SB2024072125 - openEuler 24.03 LTS update for exiv2




Published: July 21, 2024

Security Bulletin ID SB2024072125
Severity Low
Patch available YES
Number of vulnerabilities 14
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 14 security vulnerabilities.


1) Out-of-bounds read (CVE-ID: CVE-2024-39695)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in the parser for the ASF video format in AsfVideo::streamProperties(). A remote attacker can pass a specially crafted media file to the application, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.


2) Information disclosure (CVE-ID: CVE-2016-5479)

The vulnerability allows a remote authenticated user to access data on the target system.
The weakness is caused by a flaw in the Oracle FLEXCUBE Universal Banking INFRA component and lets an attacker obtain arbitrary files.
Successful exploitation of the vulnerability results in disclosure of information on the vulnerable system.

3) Information disclosure (CVE-ID: CVE-2016-5621)

The vulnerability allows a remote authenticated user to access data on the target system.
The weakness is caused by a flaw in the Oracle FLEXCUBE Universal Banking INFRA component and lets an attacker obtain arbitrary files.
Successful exploitation of the vulnerability results in disclosure of information on the vulnerable system.

4) Information disclosure (CVE-ID: CVE-2016-5603)

The vulnerability allows a remote authenticated user to access data on the target system.
The weakness is caused by a flaw in the Oracle FLEXCUBE Universal Banking INFRA component and lets an attacker obtain arbitrary files.
Successful exploitation of the vulnerability results in disclosure of information on the vulnerable system.

5) Information disclosure (CVE-ID: CVE-2016-5594)

The vulnerability allows a remote authenticated user to access data on the target system.
The weakness is caused by a flaw in the Oracle FLEXCUBE Universal Banking INFRA component and lets an attacker obtain arbitrary files.
Successful exploitation of the vulnerability results in disclosure of information on the vulnerable system.

6) Information disclosure (CVE-ID: CVE-2016-5490)

The vulnerability allows a local user to access data on the target system.
The weakness is caused by a flaw in the Oracle FLEXCUBE Universal Banking INFRA component and lets an attacker obtain arbitrary files.
Successful exploitation of the vulnerability results in disclosure of information on the vulnerable system.

7) Information disclosure (CVE-ID: CVE-2016-5493)

The vulnerability allows a remote authenticated user to access data on the target system.
The weakness is caused by a flaw in the Oracle FLEXCUBE Private Banking Admin component and lets an attacker partially obtain and partially modify arbitrary files.
Successful exploitation of the vulnerability results in disclosure and partial modification of information on the vulnerable system.

8) Information disclosure (CVE-ID: CVE-2016-5620)

The vulnerability allows a remote authenticated user to access data on the target system.
The weakness is caused by a flaw in the Oracle FLEXCUBE Universal Banking INFRA component and lets an attacker partially obtain and partially modify arbitrary files.
Successful exploitation of the vulnerability results in disclosure and partial modification of information on the vulnerable system.

9) Information disclosure (CVE-ID: CVE-2016-5502)

The vulnerability allows a remote authenticated user to access data on the target system.
The weakness is caused by a flaw in the Oracle FLEXCUBE Universal Banking INFRA component and lets an attacker partially obtain and partially modify arbitrary files.
Successful exploitation of the vulnerability results in disclosure and partial modification of information on the vulnerable system.

10) Information disclosure (CVE-ID: CVE-2016-5569)

The vulnerability allows a remote authenticated user to access data on the target system.
The weakness is caused by a flaw in the Oracle FLEXCUBE Enterprise Limits and Collateral Management Limits and Collateral component and lets an attacker partially obtain and partially modify arbitrary files.
Successful exploitation of the vulnerability results in disclosure and partial modification of information on the vulnerable system.

11) Information disclosure (CVE-ID: CVE-2016-5543)

The vulnerability allows a remote unauthenticated user to access data on the target system.
The weakness is caused by a flaw in the Oracle FLEXCUBE Enterprise Limits and Collateral Management INFRA component and lets an attacker partially obtain and partially modify arbitrary files.
Successful exploitation of the vulnerability results in disclosure and partial modification of information on the vulnerable system.

12) Information disclosure (CVE-ID: CVE-2016-5619)

The vulnerability allows a remote authenticated user to access data on the target system.
The weakness is caused by a flaw in the Oracle FLEXCUBE Universal Banking INFRA component and lets an attacker obtain and modify arbitrary files.
Successful exploitation of the vulnerability results in disclosure and modification of information on the vulnerable system.

13) Information disclosure (CVE-ID: CVE-2016-5622)

The vulnerability allows a remote unauthenticated user to access data on the target system.
The weakness is caused by a flaw in the Oracle FLEXCUBE Universal Banking INFRA component and lets an attacker obtain and partially modify arbitrary files.
Successful exploitation of the vulnerability results in disclosure and partial modification of information on the vulnerable system.

14) Privilege escalation (CVE-ID: CVE-2016-5607)

The vulnerability allows a remote authenticated user to gain elevated privileges on the target system.
The weakness is caused by a flaw in the Oracle FLEXCUBE Universal Banking INFRA component and lets an attacker increase his privileges.
Successful exploitation of the vulnerability results in privilege escalation on the vulnerable system.

Remediation

Install the update from the vendor's website.